Fedora Account System
Red Hat Associate
Red Hat Customer
An information disclosure vulnerability in oslo.middleware was found. Software using the CatchError class may include sensitive values in the error message accompanying a Traceback, resulting in their disclosure. For example, complete API requests (including keystone tokens in their headers) may leak into neutron error logs. Affected versions: <=3.8.0, >=3.9.0 <=3.19.0, >=3.20.0 <=3.22.0
Acknowledgments: Name: the OpenStack project Upstream: Divya K Konoor (IBM)
Created attachment 1243810 [details] Ocata patch
Created attachment 1243811 [details] Newton patch
Created attachment 1243812 [details] Mitaka patch
Created python-oslo-middleware tracking bugs for this issue: Affects: openstack-rdo [bug 1417592] Affects: fedora-all [bug 1417593]
Public via: http://lists.openstack.org/pipermail/openstack-announce/2017-January/002002.html Upstream bug: https://bugs.launchpad.net/keystonemiddleware/+bug/1628031
*** Bug 1417538 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:0300 https://rhn.redhat.com/errata/RHSA-2017-0300.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:0435 https://rhn.redhat.com/errata/RHSA-2017-0435.html